August 5, 1999 First evidence seen at the UW
of programs being installed on Solaris systems in what appeared
to be "mass" intrusions.

August 17, 1999 Attack on the University
of Minnesota reported to UW network operations and security teams.

September 2, 1999 Contents of a stolen account used
to cache files were recovered.

September 27, 1999 CERT provided with first draft
of trinoo analysis

Early October 1999 CERT goes through the painful
process of reviewing hundreds of Solaris intrusion reports
and finds many match the trinoo analysis. They arrange the
Distributed System Intruder Tools Workshop (the first time
they have done this.)

October 15, 1999 CERT mails out invitations to the
DSIT workshop.

October 23, 1999 Final draft of trinoo analysis
and TFN analysis finished in preparation for the DSIT workshop.

November 2-4, 1999 DSIT workshop held in Pittsburgh.
It is agreed by attendees that it is important to not
panic people, but instead provide meaningful steps to deal with
this new threat. All attendees are asked to keep information
about DDoS programs private until we all finish a report on how
to respond.

December 17, 1999 (According to USA Today article)
NIPC director Michael Vatis briefs Attorney General Janet Reno
as part of an overview of preparations being made for Y2K.

December 27, 1999 During final work on
analysis of "stacheldraht", a scan of the UW network was made
with "gag" (included in the stacheldraht analysis), which found
three active agents which were traced to a handler in the
southern US. The ISP and their upstream provider were able to
identify over 100 agents in this network.

January 14, 2000 Attack on OZ.net in
Seattle affects Semaphore and UUNET customers (affecting as
much as 70% of Puget Sound Internet users, and possibly other
sites in the US -- no national press attention until January 18.)

January 17, 2000 ICSA.net organizes Birds
of a Feather (BOF) session on Distributed Denial of Service attacks
at RSA 2000 conference in San Jose.

February 7, 2000 Talk by Steve Bellovin
on Denial of Service attacks, and another ICSA.net DDoS BOF at
NANOG meeting in San Jose. First attacks on eCommerce sites begin.

Important (in my opinion) points about the timeline

Technical details of the developing DDoS tools were not
available to federal agencies until late September and
early October.

It took CERT time to review a large set of intrusions and
determine the best way to respond (without causing a panic
reaction by the general public.)

CERT announced the DDoS tools in mid November 1999, and
shortly after published an Incident Note and Advisory.
Any sites paying attention to CERT Incident Notes and
Advisories learned of trinoo, TFN, and TFN2K in November
and December.

Anyone reading BUGTRAQ learned of trinoo and TFN on
December 7, 1999 and stacheldraht on December 30, 1999.

NIPC's advisory and tool came out just after the technical
analyses were published, but because all
three commonly used DDoS tools were discussed publicly by
late December it seems to me to
be overly critical to say the government "failed" to warn
eCommerce sites before February 7, 2000. They could have
learned about them from CERT's Incident Note, DSIT Workshop
Report, and postings to BUGTRAQ in November and December.